1. Field of the Invention
The present invention relates to a computer system, and deals more particularly with a method, system, and computer program product for handling user identification and password requests for user sign-on with an identity change, where these requests occur during a host access session which is authenticated using digital certificates, after an initial user sign-on has already completed.
2. Description of the Related Art
One of the challenges facing information services (“IS”) professionals today is the difficulty of providing secure access to legacy mainframe host data and applications from modern personal computer-based (“PC-based”) applications. As more large companies move to provide business integration and self-service on the World Wide Web (hereinafter, “Web), there is most often data that is crucial to this movement, but which is based on (and is only accessible through) legacy mainframe host applications. These host applications and their data have, from their origin, been typically protected through the use of the program product commonly referred to as “RACF” (Resource Access Control Facility) or other similar mainframe-based security systems. (“RACF” is a registered trademark of the IBM Corporation.) These mainframe-based security systems typically require a user identification and password in order to gain access to the protected applications and data. Therefore, when a user tries to access data or legacy applications on a host mainframe from a client workstation over a network connection, they normally must provide a separate user identification and password to the host application to satisfy the security requirements of the host security system in addition to the user identification and password they use to access the modern environments (e.g. to access the Internet or Web). This double entry of identifying information is not only redundant but tedious for the user as well.
With the wide-spread use of SSL (Secure Sockets Layer) and certifiable digital certificates for providing security in today's PC-based computing environments, there is a desire to use a client certificate as the basis for a “single system sign-on” to all of a user's Internet-based applications. This includes applications that provide access to legacy host applications and/or data such as IBM's Host-On-Demand, Personal Communications, and Host Publisher products. The way in which users identify themselves to these products should be consistent with how they do so with other Web applications. This will enable minimizing the number of different user identifications and passwords a user must create and remember, and reduce the administrative burden of maintaining security (e.g. by reducing the number of requests for an administrator to reset a forgotten password) for password-protected applications and data.
Digital certificates may be used to authenticate entities, as is well known in the art. U.S. Pat No. 6,128,728 (Ser. No. 09/064,632, filed Dec. 10, 1998), which is titled “Certificate Based Security in SNA Data Flows”, teaches a technique whereby digital certificates are transported in appropriate Systems Network Architecture (“SNA”) data flows between a client and a host for identifying the user to the host application, but this existing technique requires those host programs which authenticate the user to RACF (or other host access control facility) to be modified to use the certificate instead of the traditional user ID (user identifier) and password. This requires an enterprise to upgrade each of its application subsystems in order to achieve the benefits. So for some enterprises, the previous approach may be impractical and unacceptable.
Related U.S. patent Ser. No. 09/466,625, titled “Providing End-to-End User Authentication for Host Access Using Digital Certificates” and referred to hereinafter as “the related invention”, discloses a technique for using digital certificates to authenticate a client in order to allow the client to access legacy host applications and/or data which are protected by a security system such as RACF, where these host applications or systems for managing host data (including legacy database systems) typically require a user identification and password that is supplied separate from that used for the client's sign-on process to the modern environment. Thus, the related invention enables the user to access a legacy host application and/or legacy host data with a single sign-on (i.e. without re-identifying himself), and does not require modifications to the legacy software.
In the related invention, SSL or a similar security protocol is used to establish a connection between a client device and either a Web application server or a Telnet 3270 (“TN3270”) server. The client's digital certificate is required when establishing the SSL connection, according to the prior art SSL specification, to enable the Web application server or TN3270 server to authenticate the client. The certificate is then cached at the server, according to the related invention, and used to authenticate the client to the host-based, legacy security system. Once the security system has successfully authenticated the client, it may return a password or password substitute. (The password substitute is called a “passticket” when using the RACF security system, where a passticket is a relatively short-lived credential that is dynamically generated after a user's identity has been authenticated.) Rather than requiring the user to re-enter his identifier and password to communicate with the protected legacy host system, the Web application server or TN3270 server provides the user's ID and the passticket to the host system, enabling the user to be transparently yet securely logged on to the host system. (The related invention discloses the Web application server or TN3270 server alternatively providing the host system with a user ID and an actual password which has been authenticated by a security system, rather than a user ID and passticket, for those environments in which the passticket concept does not exist.)
However, the related invention addresses the capability only for an initial sign-on sequence to a host application. There may be cases where a subsequent sign-on is required. For example, a particular host application may process transactions that have special security needs (such as heightened security requirements), and which require the sign-on process of obtaining and verifying the user's identification and password again in the context of a special transaction. Or, a legacy application may be written such that it repeats the sign-on process to re-verify the user after occurrence of particular situations, such as an outage of some sort, a dormancy in session activity, etc. As another example, the user may wish to change from using one legacy host application to using another legacy application. Each legacy application typically begins by sending a sign-on screen to the user, with the intent of prompting the user to enter his user ID and password. The related invention does not provide a technique that enables a subsequent sign-on to be processed without requiring the user to re-identify himself during the scope of a single secure session (e.g. without tearing down the SSL session and repeating the secure session establishment), nor is this capability available in the prior art.
Furthermore, there may be cases where it would be desirable to provide different sign-on credentials during a secure host access session, following the initial sign-on. As an example, it may be necessary for the current legacy host application user's supervisor to sign on to the legacy application, such as when a special transaction requiring supervisory authority is to be performed. Or, it may happen that different security credentials are required for a user when he wishes to change from one legacy host application to another. As another example, there may be applications for which it is necessary or desirable to force the user to re-authenticate himself by providing his security credentials again (for example, by swiping his Smart Card through a Smart Card reader) at defined points, such as when a new application transaction begins. Because establishing a secure connection between the client and the TN3270 server or Web application server using a security protocol such as SSL is relatively expensive in terms of computation and networking resources, the performance overhead incurred in re-starting the session in order to supply a different certificate that signifies different user credentials makes this a less-than-optimal solution. Thus, a technique is needed which enables changing the user's credentials within the scope of an on-going secure session. Neither the prior art nor the related invention provide this capability.
Accordingly, what is needed is a technique that overcomes these limitations of the prior art.